The second wave of the Shai-Hulud provide chain assault has spilled over to the Maven ecosystem after compromising greater than 830 packages within the npm registry.
The Socket Analysis Crew mentioned it recognized a Maven Central package deal named org.mvnpm:posthog-node:4.18.1 that embeds the identical two parts related to Sha1-Hulud: the “setup_bun.js” loader and the primary payload “bun_environment.js.”
“This implies the PostHog challenge has compromised releases in each the JavaScript/npm and Java/Maven ecosystems, pushed by the identical Shai Hulud v2 payload,” the cybersecurity firm mentioned in a Tuesday replace.
It is value noting that the Maven Central package deal shouldn’t be revealed by PostHog itself. Somewhat, the “org.mvnpm” coordinates are generated by way of an automatic mvnpm course of that rebuilds npm packages as Maven artifacts. The Maven Central mentioned they’re working to implement further protections to stop already recognized compromised npm parts from being rebundled. As of November 25, 2025, 22:44 UTC, all mirrored copies have been purged.
The event comes because the “second coming” of the provision chain incident has focused builders globally with an purpose to steal delicate information like API keys, cloud credentials, and npm and GitHub tokens, and facilitate deeper provide chain compromise in a worm-like vogue. The most recent iteration has additionally advanced to be extra stealthy, aggressive, scalable, and harmful.
Moreover borrowing the general an infection chain of the preliminary September variant, the assault permits menace actors to achieve unauthorized entry to npm maintainer accounts and publish trojanized variations of their packages. When unsuspecting builders obtain and run these libraries, the embedded malicious code backdoors their very own machines and scans for secrets and techniques and exfiltrates them to GitHub repositories utilizing the stolen tokens.
The assault accomplishes this by injecting two rogue workflows, one in every of which registers the sufferer machine as a self-hosted runner and allows arbitrary command execution each time a GitHub Dialogue is opened. A second workflow is designed to systematically harvest all secrets and techniques. Over 28,000 repositories have been affected by the incident.
“This model considerably enhances stealth by using the Bun runtime to cover its core logic and will increase its potential scale by elevating the an infection cap from 20 to 100 packages,” Cycode’s Ronen Slavin and Roni Kuznicki mentioned. “It additionally makes use of a brand new evasion method, exfiltrating stolen information to randomly named public GitHub repositories as a substitute of a single, hard-coded one.”
The assaults illustrate how trivial it’s for attackers to benefit from trusted software program distribution pathways to push malicious variations at scale and compromise 1000’s of downstream builders. What’s extra, the self-replication nature of the malware means a single contaminated account is sufficient to amplify the blast radius of the assault and switch it right into a widespread outbreak in a brief span of time.
Additional evaluation by Aikido has uncovered that the menace actors exploited vulnerabilities, particularly specializing in CI misconfigurations in pull_request_target and workflow_run workflows, in present GitHub Actions workflows to tug off the assault and compromise initiatives related to AsyncAPI, PostHog, and Postman.
The vulnerability “used the dangerous pull_request_target set off in a method that allowed code provided by any new pull request to be executed through the CI run,” safety researcher Ilyas Makari mentioned. “A single misconfiguration can flip a repository right into a affected person zero for a fast-spreading assault, giving an adversary the power to push malicious code via automated pipelines you depend on on daily basis.”
It is assessed that the exercise is the continuation of a broader set of assaults concentrating on the ecosystem that commenced with the August 2025 S1ngularity marketing campaign impacting a number of Nx packages on npm.
“As a brand new and considerably extra aggressive wave of npm provide chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback harmful habits, making it probably the most impactful provide chain assaults of the yr,” Nadav Sharkazy, a product supervisor at Apiiro, mentioned in a press release.
“This malware reveals how a single compromise in a preferred library can cascade into 1000’s of downstream functions by trojanizing authentic packages throughout set up.”
Information compiled by GitGuardian, OX Safety, and Wiz reveals that the marketing campaign has leaked a whole lot of GitHub entry tokens and credentials related to Amazon Net Companies (AWS), Google Cloud, and Microsoft Azure. Greater than 5,000 information have been uploaded to GitHub with the exfiltrated secrets and techniques. GitGuardian’s evaluation of 4,645 GitHub repositories has recognized 11,858 distinctive secrets and techniques, out of which 2,298 remained legitimate and publicly uncovered as of November 24, 2025.
Customers are suggested to rotate all tokens and keys, audit all dependencies, take away compromised variations, reinstall clear packages, and harden developer and CI/CD environments with least-privilege entry, secret scanning, and automatic coverage enforcement.
“Sha1-Hulud is one other reminder that the fashionable software program provide chain remains to be method too simple to interrupt,” Dan Lorenc, co-founder and CEO of Chainguard, mentioned. “A single compromised maintainer and a malicious set up script is all it takes to ripple via 1000’s of downstream initiatives in a matter of hours.”
“The strategies attackers are utilizing are consistently evolving. Most of those assaults do not depend on zero-days. They exploit the gaps in how open supply software program is revealed, packaged, and pulled into manufacturing programs. The one actual protection is altering the way in which software program will get constructed and consumed.”
